Data Security in Cloud Storage and Computing Using the Schmidt-Samoa Public Key Encryption Cryptosystem

Transcription

1 Data Security in Cloud Storage and Computing Using the Schmidt-Samoa Public Key Encryption Cryptosystem Vyas S Department Of Computer Science and Engineering Panimalar Engineering College Chennai, India svyasrao22@gmail.com Abstract Cloud computing is a set of IT services that are provided to a customer over a network on a leased basis and with the ability to scale up or down their service requirements. Usually cloud computing services are delivered by a third party provider who owns the infrastructure. It advantages to mention but a few include scalability, resilience, flexibility, efficiency and outsourcing non-core activities. Cloud computing offers an innovative business model for organizations to adopt IT services without upfront investment. Despite the potential gains achieved from the cloud computing, the organizations are slow in accepting it due to security issues and challenges associated with it. Security is one of the major issues which hamper the growth of cloud. The idea of handing over important data to another company is worrisome; such that the consumers need to be vigilant in understanding the risks of data breaches in this new environment. This paper presents the potential risks in cloud storage where the CSP or unauthorized or malicious users can access sensitive data; the paper proposes strategies in overcoming these issues with the help of The Schmidt-Samoa cryptosystem, an asymmetric cryptographic technique (Public-key cryptography) where the keys (public and private) are defined by the user or the client and hence can be decrypted only by the user avoiding any unauthorized access of data. Index Terms cloud computing, IaaS, PaaS, SaaS, cloud service provider, delivery models, deployment models encryption, cryptography, symmetric, asymmetric, Schmidt-Samoa cryptosystem. I.INTRODUCTION Cloud Computing [1] is a distributed architecture that centralizes server resources on a scalable platform so as to provide on demand computing resources and services. Cloud service providers (CSP s) offer cloud platforms for their customers to use and create their web services, much like internet service providers offer costumers high speed broadband to access the internet. CSPs and ISPs (Internet Service Providers) both offer services. Cloud computing is a model that enables convenient, on-demand network access to a shared pool of configurable computing resources such as networks, servers, storage, applications that can be rapidly provisioned and released with minimal management effort or service provider s interaction. In general cloud providers offer three types of services i.e. Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). There are various reasons for organizations to move towards IT solutions that include cloud computing as they are just required to pay for the resources on consumption basis. In addition, organizations can easily meet the needs of rapidly changing markets to ensure that they are always on the leading edge for their consumers.cloud computing appeared as a business necessity, being animated by the idea of just using the infrastructure without managing it. Although initially this idea was present only in the academic area, recently, it was transposed into industry by companies like Microsoft, Amazon, Google, Yahoo! and Salesforce.com. This makes it possible for new startups to enter the market easier, since the cost of the infrastructure is greatly diminished. This allows developers to concentrate on the business value rather on the starting budget. The clients of commercial clouds rent computing power (virtual machines) or storage space (virtual space) dynamically, according to the needs of their business. With the exploit of this technology, users can access heavy applications via lightweight portable devices such as mobile phones, PCs and PDAs. Clouds are the new trend in the evolution of the distributed systems, the predecessor of cloud being the grid. The user does not require knowledge or

2 expertise to control the infrastructure of clouds; it provides only abstraction. It can be utilized as a service of an Internet with high scalability, higher throughput, quality of service and high computing power. Cloud computing providers deliver common online business applications which are accessed from servers through web browser. and designated stakeholders may have access to operate on a specific Private cloud. B. Public cloud Public cloud describes cloud computing in the traditional mainstream sense, whereby resources are dynamically provisioned on a fine-grained, selfservice basis over the Internet, via web applications/web services, from an off-site third-party provider who shares resources and bills on a finegrained utility computing basis. It is typically based on a pay-per-use model, similar to a prepaid electricity metering system which is flexible enough to cater for spikes in demand for cloud optimization. Public clouds are less secure than the other cloud models because it places an additional burden of ensuring all applications and data accessed on the public cloud are not subjected to malicious attacks. Figure 1: Cloud computing schema II.CLOUD DEPLOYMENT MODELS In the cloud deployment model [2], networking, platform, storage, and software infrastructure are provided as services that scale up or down depending on the demand. The Cloud Computing model has three main deployment models which are: A. Private cloud Private cloud is a new term that some vendors have recently used to describe offerings that emulate cloud computing on private networks. It is set up within an organization s internal enterprise datacenter. In the private cloud, scalable resources and virtual applications provided by the cloud vendor are pooled together and available for cloud users to share and use. It differs from the public cloud in that all the cloud resources and applications are managed by the organization itself, similar to Intranet functionality. Utilization on the private cloud can be much more secure than that of the public cloud because of its specified internal exposure. Only the organization Figure 2: Deployment models C. Hybrid cloud Hybrid cloud is a private cloud linked to one or more external ernal cloud services, centrally managed, provisioned as a single unit, and circumscribed by a secure network. It provides virtual IT solutions through a mix of both public and private clouds. Hybrid Cloud provides more secure control of the data and applications and allows various parties to access information over the Internet. It also has an open architecture that allows interfaces with other management systems. Hybrid cloud can describe configuration combining a local device, such as a Plug computer with cloud services. It can also describe configurations combining virtual and physical, collocated assets -for

3 example, a mostly virtualized environment that requires physical servers, routers, or other hardware such as a network appliance acting as a firewall or spam filter. III.CLOUD COMPUTING SERVICE DELIVERY MODELS Following on the cloud deployment models, the next security consideration relates to the various Cloud computing service delivery models [3][4]. The three main cloud service delivery models are: high initial cost. The architecture of SaaS-based applications is specifically designed to support many concurrent users at once. Software as a service applications are accessed using web browsers over the Internet therefore web browser security is vitally important. Information security officers will need to consider various methods of securing SaaS applications Characteristics of SaaS: Like other forms of Cloud Computing, it is important to ensure that solutions sold as SaaS in fact comply with generally accepted definitions of Cloud Computing. Some defining characteristics of SaaS include; Web access to commercial software Software is managed from a central location Software delivered in a one to many model Users not required to handle software upgrades and patches Application Programming Interfaces (APIs) allow for integration between different pieces of software B. Platform as a service (PaaS) Figure 3: High level view of could computing architecture A. Software as a Service Software-as-a-Service Service is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet.SaaS is becoming an increasingly prevalent delivery model as underlying technologies that support web services and service-oriented architecture (SOA) mature and new developmental approaches become popular. SaaS is also often associated with a pay-as-you-go subscription licensing model. Meanwhile, broadband service has become increasingly available to support user access from more areas around the world. SaaS is most often implemented to provide business software functionality to enterprise customers at a low cost while allowing those customers to obtain the same benefits of commercially licensed, internally operated software without the associated complexity of installation, management, support, licensing, and Platform-as-a-Service (PaaS) is a set of software and development tools hosted on the provider's servers. It is one layer above IaaS on the stack and abstracts away everything up to OS, middleware, etc. This offers an integrated set of developer environment that a developer can tap to build their applications without having any clue about what is going on underneath the service. It offers developers a service that provides a complete software development life cycle management, from planning to design to building applications to deployment to testing to maintenance. Everything else is abstracted away from the view of the developers. Platform as a service cloud layer works like IaaS but it provides an additional level of rented functionality. Clients using PaaS services transfer even more costs from capital investment to operational expenses but must acknowledge the additional constraints and possibly some degree of lock-in posed by the additional functionality layers. The use of virtual machines act as a catalyst in the PaaS layer in Cloud computing. Virtual machines must be protected against malicious attacks such as cloud malware. Therefore maintaining the integrity of applications and well enforcing accurate authentication checks during the transfer of data across the entire networking channels is fundamental.

4 Characteristics of PaaS: There are a number of different takes on what constitutes PaaS but some basic characteristics include Services to develop, test, deploy, host and maintain applications in the same integrated development environment. All the varying services needed to fulfill the application development process Web based user interface creation tools help to create, modify, test and deploy different UI scenarios Multi-tenant architecture where multiple concurrent users utilize the same development application Built in scalability of deployed software including load balancing and failover Integration with web services and databases via common standards Support for development team collaboration some PaaS solutions include project planning and communication tools Tools to handle billing and subscription management C. Infrastructure as a Service (IaaS) Infrastructure as a Service is a single tenant cloud layer where the Cloud computing vendor s dedicated resources are only shared with contracted clients at a pay-per-use fee. This greatly minimizes the need for huge initial investment in computing hardware such as servers, networking devices and processing power. They also allow varying degrees of financial and functional flexibility not found in internal data centers or with collocation services, because computing resources can be added or released much more quickly and cost-effectively than in an internal data center or with a collocation service. IaaS and other associated services have enabled startups and other businesses focus on their core competencies without worrying much about the provisioning and management of infrastructure. IaaS completely abstracted the hard ware beneath it and allowed users to consume infrastructure as a service without bothering anything about the underlying complexities. The cloud has a compelling value proposition in terms of cost, but out of the box IaaS only provides basic security (perimeter firewall, load balancing, etc.) and applications moving into the cloud will need higher levels of security provided at the host. Characteristics of IaaS: As with the two previous sections, SaaS and PaaS, IaaS is a rapidly developing field. That said there are some core characteristics which describe what IaaS is. IaaS is generally accepted to comply with the following; Resources are distributed as a service Allows for dynamic scaling Variable cost, utility pricing model Generally includes multiple users on a single piece of hardware IV.SECURITY ISSUES IN CLOUD COMPUTING Organizations use the Cloud in a variety of different service models (SaaS, PaaS, and IaaS) and deployment models (Private, Public, and Hybrid). There are a number of security [5] issues/concerns associated with cloud computing but these issues fall into two broad categories: security issues faced by cloud providers (organizations providing software-, platform-, or infrastructure-as-a-service via the cloud) and security issues faced by their customers. The responsibility goes both ways, however: the provider must ensure that their infrastructure is secure and that their clients data and applications are protected while the user must ensure that the provider has taken the proper security measures to protect their information, and the user must take measures to use strong passwords and authentication measures A. Security Where is your data more secure, on your local hard driver or on high security servers in the cloud? Some argue that customer data is more secure when managed internally, while others argue that cloud providers have a strong incentive to maintain trust and as such employ a higher level of security. However, in the cloud, your data will be distributed over these individual computers regardless of where your base repository of data is ultimately stored. Industrious hackers can invade virtually any server, and there are the statistics that show that one-third of breaches result from stolen or lost laptops and other devices and from employees accidentally exposing data on the Internet, with nearly 16 percent due to insider theft. B. Privacy Different from the traditional computing model, cloud computing utilizes the virtual computing technology, users personal data may be scattered in various virtual data center rather than stay in the same physical location, even across the national borders, at this time, data privacy protection will face

5 the controversy of different legal systems. On the other hand, users may leak hidden information when they accessing cloud computing services. Attackers can analyze the critical task depend on the computing task submitted by the users. C. Reliability Servers in the cloud have the same problems as your own resident servers. The cloud servers also experience downtimes and slowdowns, what the difference is that users have a higher dependent on cloud service provider (CSP) in the model of cloud computing. There is a big difference in the CSP s service model, once you select a particular CSP, you may be locked-in, thus bring a potential business secure risk. D. Legal Issues Regardless of efforts to bring into line the lawful situation, as of 2009, supplier such as Amazon Web Services provide to major markets by developing restricted road and rail network and letting users to choose availability zones. On the other hand, worries stick with safety measures and confidentiality from individual all the way through legislative levels. E. Open Standard Open standards are critical to the growth of cloud computing. Most cloud providers expose APIs which are typically well-documented but also unique to their implementation and thus not interoperable. Some vendors have adopted others' APIs and there are a number of open standards under development, including the OGF's Open Cloud Computing Interface. The Open Cloud Consortium (OCC) is working to develop consensus on early cloud computing standards and practices. F. Compliance Numerous regulations pertain to the storage and use of data require regular reporting and audit trails, cloud providers must enable their customers to comply appropriately with these regulations. Managing Compliance and Security for Cloud Computing, provides insight on how a top-down view of all IT resources within a cloud-based location can deliver a stronger management and enforcement of compliance policies. In addition to the requirements to which customers are subject, the data centers maintained by cloud providers may also be subject to compliance requirements. G. Freedom Cloud computing does not allow users to physically possess the storage of the data, leaving the data storage and control in the hands of cloud providers. Customers will contend that this is pretty fundamental and affords them the ability to retain their own copies of data in a form that retains their freedom of choice and protects them against certain issues out of their control whilst realizing the tremendous benefits cloud computing can bring. H. Long-term Viability You should be sure that the data you put into the cloud will never become invalid even your cloud computing provider go broke or get acquired and swallowed up by a larger company. "Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application. V.CRYPTOGRAPHY Cryptography [6] is the most common technique for ensuring a secure communication between two parts in the presence of a third party. If A and B send messages to each other, and they do not want others to read or change the content of their messages, then it means that they want to have a secure communication. In this communication, a transmission medium T is used, i.e. A sends his message to B via T. A third party, who wants to interfere this communication by accessing/changing the message, is called an intruder I. whenever a message is on its way towards the destination, it is in danger of being accessed by I, who can perform the following actions: 1. He can block the message, so it never reaches its destination, and thus the availability is violated. 2. He can intercept the message, so it is not secret anymore, and thereby the confidentiality is destroyed. 3. He can change the content of the message, and by that the integrity is violated. 4. He can fake a message and impersonate the sender A, and send the message to B. This violates also the integrity of the message. VI.ENCRYPTION AND DECRYPTION Encryption is the process of translating plain text data (plaintext) into something that appears to be random and meaningless (cipher text). Decryption is the process of converting cipher text back to plaintext.

6 To encrypt more than a small amount of data, symmetric encryption is used. A symmetric key is used during both the encryption and decryption processes. To decrypt a particular piece of cipher text, the key that was used to encrypt the data must be used. The goal of every encryption algorithm is to make it as difficult as possible to decrypt the generated cipher text without using the key. If a really good encryption algorithm is used, there is no technique significantly better than methodically trying every possible key. For such an algorithm, the longer the key, the more difficult it is to decrypt a piece of cipher text without possessing the key. 1. Symmetric Algorithms There are two most famous symmetric algorithms, namely Data Encryption Standard (DES) and Advanced Encryption Standard (AES). Another symmetric algorithm, which is a public domain algorithm, is called Blowfish. We will briefly explain these algorithms and their security issues. Data Encryption Standard (DES) One of the well-known symmetric algorithms is Data Encryption Standard (DES). It is a block cipher with the block size of 64 bits. Advanced Encryption Standard (AES) AES is a block cipher with a block size of 128 bits. The key length for AES is not fixed, so it can be 128, 192, 256 and possibly more bits. 2. Asymmetric Algorithms One of the main reasons why asymmetric cryptography was invented is because symmetric cryptography is not suitable for communication in a big network with a large number of users. There is a key distribution problem. Each user has to have/remember the secret key of all other users, with whom he communicates. The Rabin cryptosystem The Rabin cryptosystem is an asymmetric cryptographic technique, whose security, like that of RSA, is related to the difficulty of factorization. However the Rabin cryptosystem has the advantage that the problem on which it relies has been proved to be as hard as integer factorization, which is not currently known to be true of the RSA problem. It has the disadvantage that each output of the Rabin function can be generated by any of four possible inputs; if each output is a cipher text, extra complexity is required on decryption to identify which of the four possible inputs was the true plaintext. RSA cryptosystem RSA is one of the first practicable public-key cryptosystems and is widely used for secure data transmission. In such a cryptosystem, the encryption key is public and differs from the decryption key which is kept secret. In RSA, this asymmetry is based on the practical difficulty of factoring the product of two large prime numbers, the factoring problem. RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described the algorithm in Clifford Cocks, an English mathematician, had developed an equivalent system in 1973, but it wasn't declassified until Here we use the Schmidt-Samoa cryptosystem to implement secure data transmission and storage in the cloud VII.THE PROPOSED MODEL The data sent by the SaaS or PaaS or IaaS user is first encrypted using the public key known to the all the users of the client organization and transmitted to the cloud and stored in the cloud. While leveraging the computational and analytical services of the CSP the authorized or privileged or top level or root user alone who also knows the private key uses it to decrypt the data and encrypt is again after the analysis. The same applies for retrieving the data; users can retrieve the data only if the root user grants permission by employing the private key. This system implements a strict scheme on who can access the data in the organization and also protects the CSP or malicious users from accessing the data. The Schmidt-Samoa cryptosystem: The Schmidt-Samoa cryptosystem [8] is an asymmetric, public key encryption [7] cryptographic technique, whose security, like Rabin depends on the difficulty of integer factorization. Unlike Rabin this algorithm does not produce an ambiguity in the decryption at a cost of encryption speed.

7 1. Choose two large distinct primes p and q and compute N = p^2q 2. Compute d = N mod LCM (p-1,q-1) Now N is the public key and d is the private key Encryption: To encrypt a message m we compute the cipher text as c = m^n mod N. Decryption: To decrypt a ciphertext c we compute the plaintext as m = c^d mod pq. Which like for Rabin and RSA can be computed with the Chinese remainder theorem. Now to verify: m = c^d mod pq, m= 2681^41 mod (13) (17), m = 2681^41 mod 221, m = 22. The encrypted and transmitted message can be successfully decrypted only by the receiver who knows the private key d. VIII.SECURITY The algorithm is based on the difficulty of factoring the modulus N, which is a distinct advantage over RSA. That is, it can be shown that if there exists an algorithm that can decrypt arbitrary messages, then this algorithm can be used to factor N. The above stated example is for explanatory purpose, usually the two primes are very large numbers resulting in huge public and private keys and the messages transmitted cannot be decrypted unless the exact private key is known. IX.CONCLUSION Figure 4: Encryption and decryption schema Example: p = 13, q = 17, N = p^2q = 2873, d = N mod LCM (p-1, q-1), d = 2873 mod LCM (12, 16), d = 2873 mod 48, d=41. Now, assume the message to be sent is 22 m = 22, c = m^n mod N, c = 22^2873 mod 2873, c = (cipher text) After discussing the security issues, it is obvious that we should be careful about the security concerns while putting our business on Cloud. The security model should be probably secure. Once the organization takes the decision to move to the cloud, it loses control over the data. Thus, the amount of protection needed to secure data is directly proportional to the value of the data. Security of the Cloud relies on trusted computing and cryptography. Only the authenticated and authorized user can access the data, even if some unauthorized user gets the data accidentally or intentionally and if captures the data also, user cannot decrypt the data and get back the original data from it. In this paper, we propose a model which integrates the Schmidt-Samoa Samoa cryptosystem, an asymmetric-key encryption algorithm to the data in the cloud. This improves the transmission and storage security of the client s data in the cloud and prevents unauthorized access of data.

8 X.REFERENCES [1] [2] [3] [4] y/cl-cloudservices1iaas/ [5] [6]Cryptography and Network Security: Principles and Practice by William Stallings [7] [8] Samoa_cryptosystem